SERVFAIL when unbound forward-addr is an ssh forward port tunnel
Wouter Wijngaards
wouter at nlnetlabs.nl
Mon Jun 17 07:08:22 UTC 2019
Hi,
You forgot to have
do-not-query-localhost: no
in the config file. This allows unbound to query hosts on the 127.0.0.1
and ::1 addresses, and is supposed to stop potential packet loops from
happening.
Best regards, Wouter
On 6/16/19 5:41 PM, ronvarburg--- via Unbound-users wrote:
> With
>
> -------------------------------------------------------------
> server:
>     directory: "/etc/unbound"
>     do-daemonize: no
>     tcp-upstream: yes
>     trust-anchor-file: trusted-key.key
>     use-syslog: yes
>     username: "unbound"
>
> forward-zone:
>     name: "."
>     forward-addr: 127.0.0.1@1053
> -------------------------------------------------------------
>
> and
> % ssh -L 127.0.0.1:1053:127.0.0.1:53 server
> ,
> % drill nameToQuery
>
> returns SERVFAIL. In fact, no query works at all.
> According to tcpdump -vv -x -X -s 1500 -i lo 'port 1053',
> nothing is being sent to the forward-addr.
>
> While
> % drill -I 127.0.0.1 -p 1053 -4 -t nameToQuery
>
> succeeds. Is that expected, for example because it is inherent to the NS protocol?
> If it is supposed to work, how do I debug it further?
>
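Added example, not part of the thread and not Unbound's own tooling: a small POSIX sh lint for the misconfiguration Wouter points out. It reads an unbound.conf, finds any forward-addr on 127.0.0.1 or ::1, and reports whether do-not-query-localhost: no is present to permit it; a second check confirms tcp-upstream: yes, which the ssh -L setup needs because ssh port forwarding carries TCP only, so UDP queries would never enter the tunnel. The two sample configs are constructed here (a "good" one with the fix and a "bad" one reproducing the SERVFAIL case); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: lint an unbound.conf for the
# misconfiguration discussed above. A forward-addr on 127.0.0.1 or ::1
# (such as the ssh -L tunnel endpoint) is only contacted when
# do-not-query-localhost: no is set; with the default (yes) unbound
# answers SERVFAIL without sending anything upstream.

# Normalise a config: drop comments and strip indentation, so matching
# does not depend on how the file was laid out.
normalise_conf() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# Return 0 when loopback forwarders (if any) are permitted, 1 otherwise.
check_loopback_forward() {
    norm=$(normalise_conf "$1")
    loopback=$(printf '%s\n' "$norm" \
        | grep -E '^forward-addr:[[:space:]]*(127\.[0-9.]+|::1)(@[0-9]+)?$' || true)
    if [ -z "$loopback" ]; then
        echo "ok: no loopback forward-addr"
        return 0
    fi
    if printf '%s\n' "$norm" | grep -qE '^do-not-query-localhost:[[:space:]]*no$'; then
        echo "ok: '$loopback' is allowed by do-not-query-localhost: no"
        return 0
    fi
    echo "misconfigured: '$loopback' but do-not-query-localhost is not 'no' (default yes) -> SERVFAIL"
    return 1
}

# Return 0 when upstream queries use TCP, which an ssh -L tunnel
# requires (ssh forwards TCP only; UDP queries would bypass it).
check_tcp_upstream() {
    normalise_conf "$1" | grep -qE '^tcp-upstream:[[:space:]]*yes$'
}

# Constructed sample config written to a temporary file; prints its path.
# $1 is "good" (with the fix) or "bad" (reproducing the SERVFAIL case).
sample_conf() {
    f=$(mktemp)
    {
        echo 'server:'
        if [ "$1" = good ]; then
            echo '    do-not-query-localhost: no'
        fi
        echo '    tcp-upstream: yes'
        echo 'forward-zone:'
        echo '    name: "."'
        echo '    forward-addr: 127.0.0.1@1053'
    } > "$f"
    echo "$f"
}

# Stand-alone run: lint both samples and clean up.
for kind in good bad; do
    f=$(sample_conf "$kind")
    printf '%s: ' "$kind"
    check_loopback_forward "$f" || true
    check_tcp_upstream "$f" || echo "$kind: tcp-upstream is not yes; an ssh -L tunnel will not carry UDP"
    rm -f "$f"
done
```

Usage: `check_loopback_forward /etc/unbound/unbound.conf` after sourcing the file. Setting do-not-query-localhost: no switches off unbound's guard against querying itself, so it is worth confirming that the far end of the tunnel (here 127.0.0.1:53 on the remote host) is a different resolver and not another unbound forwarding back to this one.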